Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, February 11, 2010

Complete DHS Daily Report for February 11, 2010

Daily Report

Top Stories

Bloomberg reports that blizzard warnings were posted from Washington to Long Island, closing government offices, grounding 9 percent of U.S. flights, and forcing the closure of Interstates 83, 78, 77, 476, 176, 676, and parts of 81 in Pennsylvania. “It may take days for the infrastructure associated within [the Washington-Philadelphia-New York urban corridor] to fully recover,” said an energy meteorologist at Planalytics Inc. (See item 23)

23. February 10, Bloomberg – (National) Blizzard scrubs flights, snarls eastern U.S. cities. Blizzard warnings for as much as 20 inches of snow were posted from Washington to Long Island as a storm settled in for a daylong siege, closing government offices, grounding 9 percent of U.S. flights, and threatening 3 inches an hour for New York. Gusts of nearly 60 mph are expected from North Carolina to Massachusetts, which may knock down trees and power lines, causing widespread power disruptions, said the National Weather Service. “It may take days for the infrastructure associated within [the Washington-Philadelphia-New York urban corridor] to fully recover,” said a senior energy meteorologist at Planalytics Inc. New York-based Consolidated Edison Inc. is adding extra crews to help avert snow- and ice-related blackouts. Washington’s electric supplier Pepco pulled its crews off the streets because of unsafe conditions. The Pennsylvania Governor ordered Interstates 83, 78, 77, 476, 176, 676, and parts of 81 to close. New Jersey Transit said it would curtail its schedules after 2:30 p.m. Amtrak has not run a full schedule since last week’s storm and more trains were canceled Tuesday. More than 4,200 flights have been canceled in the United States so far Wednesday, or about 9 percent of the total schedule, according to More than 500 flights have been canceled for Thursday and “hundreds and hundreds more” are likely, said a spokesperson. Washington’s Dulles and Reagan National airports were closed. Source:

According to the Associated Press, a former U.S. Army computer-security specialist has found a way to break into a chip that carries a “Trusted Platform Module” designation, billed as among the industry’s most secure. (See item 43 below in the Information Technology Sector)


Banking and Finance Sector

16. February 10, McHenry County Northwest Herald – (Illinois) Bomb threat made at bank. The Chicago FBI and Wauconda Police Department are investigating an attempted robbery that happened on February 9 at Wauconda Community Bank. According to initial reports, a lone male entered the bank and placed a package on a counter. He then turned and walked away. A note attached to the package claimed that a bomb was inside and instructed employees to place an unspecified amount of cash at a nearby location or the bomb would be detonated. The robbery attempt was unsuccessful, as no money was removed from the bank, according to an FBI news release. The bank and surrounding area were evacuated. No explosives were found inside the package, and no injuries were reported. Source:

17. February 10, – (National) iPhone users committing insurance fraud to get newest models. Apple has generated enormous customer loyalty with its line of computers and personal electronics. However, a recent report claims that many users of the company’s immensely popular iPhone may routinely commit insurance fraud in the hopes of picking up the newer, faster models. A director at Supercover Insurance claims that the number of lost, stolen or damaged phone complaints grows exponentially every time Apple launches a new generation of smartphone technology. Many service plans for the popular gadget allow the consumer to receive a replacement phone in the event of theft or irreparable damage — and those replacements are usually the latest model of the phone. Supercover tells PCR Magazine that iPhone owners are 60 percent more likely to take out insurance on their phone than users of any other brand. “While most customers take out insurance because they value their iPhone, we started to notice increases in claims as new and upgraded iPhones were launched — for short periods around new model or upgrade launches, claims for lost, stolen or damaged iPhones go through the roof,” the director told the magazine. Source:

18. February 9, Computerworld – (International) New Russian botnet tries to kill rival. An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers. Security researchers say that the relatively unknown Spy Eye added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus. The feature, called “Kill Zeus,” apparently removes the Zeus software from the victim’s PC, giving Spy Eye exclusive access to usernames and passwords. Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own “botnet” networks of password-stealing programs. These programs emerged as a major problem in 2009, with the U.S. Federal Bureau of Investigation estimating last October that they have caused $100 million in losses. Trojans such as Zeus and Spy Eye steal online banking credentials. This information is then used to empty bank accounts by transferring funds to so-called money mules — U.S. residents with bank accounts — who then move the cash out of the country. Sensing an opportunity, a number of similar Trojans have emerged recently, including Filon, Clod and [Bugat], which was discovered just last month. Source:

19. February 9, DarkReading – (International) New banking trojan discovered targeting businesses’ financial accounts. The infamous Zbot botnet that spreads the pervasive Zeus Trojan has been seen distributing a brand-new banking Trojan — one that researchers say could serve as a lower-cost alternative to the popular Zeus and Clampi malware for cybercriminals. The new Bugat Trojan, which was discovered by researchers at SecureWorks, appears to be aimed mostly at business customers of large and midsize banks. It is built for attacks that hijack automated clearinghouse (ACH) and wire transfer transactions for check and payment processing — attacks in which U.S.-based SMBs and state and local governments are losing an average of $100,000 to $200,000 per day, according to data from Neustar. To date, Zeus and Clampi Trojans have mostly been used for stealing financial credentials. A security researcher with SecureWorks’ Counter Threat Unit (CTU) says Bugat has some of the same features as other banking Trojans, but with a few twists: it uses an SSL-encrypted command and control (C&C) infrastructure over HTTPS, and also goes after FTP and POP credentials via those encrypted sessions. The researcher says SecureWorks has witnessed around 1,200 to 3,000 Bugat attack attempts during the past week against its clients. “We saw in the wild that it was being distributed from a specific Zeus botnet,” he says. “Oddly enough, its purpose is the same as Zeus ... but it’s something not as recognizable as Zeus or that’s cheaper [to purchase] in the long term.” Bugat’s main targets so far are business financial accounts. Source:

20. February 9, NewsFactor – (National) Red Condor warns of trending phishing campaign. Old is new again for scammers as spam emails targeting attorneys are once again on the rise. Email security experts at Red Condor have issued a warning for trending phishing attacks requesting legal representation to help in the “collection of delinquent accounts.” The majority of the messages with subject lines, including “Attn: Legal Counsel,” “Dear Attorney,” and “Legal Assistance,” appear to come from legitimate corporations from the Asia-Pacific region such as Nabtesco Corporation, Nippon Steel Corporation, South China Industrial Company and Turfchem Sdn. Bhd. Recent campaigns have also claimed to be from a London organization. But the emails actually originate from servers around the world, including Canada, Germany, Malaysia, Nigeria and the U.K. with a web mail sender address such as Yahoo. Source:

21. February 9, NBC New York – (New York) FBI hunts Queens bank robbers who use gun, fake bomb. Armed with a handgun and a fake bomb, two men have robbed four banks in Queens in the last two weeks. Nobody has been hurt in the hold-ups. But FBI and NYPD officials are worried it is only a matter of time before they hurt someone if they are not caught. This bank robbery spree began back on January 22 with a hold-up of the Queens County Savings bank on Jamaica Avenue. Another nearby branch was robbed just three days later. Then the suspects hit Chase banks along Northern Boulevard and Horace Harding Boulevard. Investigators said the pair has made off with tens of thousands of dollars so far. In each case, one of the suspects enters the bank with the gun and a device made up of two flares. The other suspect waits outside as a lookout. The suspects have worn dark long coats and hats during the robberies. Source:

22. February 9, Associated Press – (Georgia) Man charged with manufacturing fake Treasury bonds. A Duluth man has been charged with manufacturing more than $1.6 billion in fraudulent U.S. Treasury bonds and other government documents. Gwinnett County sheriff’s investigators say they learned on February 1 that the suspect wanted to purchase a home by using a registered promissory note supposedly certified by the U.S. Treasury Secretary. A Gwinnett police corporal says an attorney who received the note realized it was fake and notified police. On February 4, the suspect attended a loan closing at the attorney’s office, where the suspect presented the $225,000 note for payment to purchase a home in Lawrenceville. Investigators confirmed that the suspect signed the loan documents under false pretense and he was arrested. The 57-year-old is charged with residential mortgage fraud. Source:

Information Technology

40. February 10, The Register – (International) USB hack connects Droid to printers, video cams, and more. A reverse engineering expert has disclosed a way to make his Motorola Droid host USB-enabled devices, a hack that allows the smartphone for the first time to directly connect to printers, video cameras, TV tuners, and a wide variety of other peripherals. The modification was devised by a researcher from Kismet and a researcher of OpenWRT and shared with the world by the chief hacker for reverse engineering firm H4RDW4RE. Using a charging cable that plugs into a car’s cigarette lighter, a micro-USB cable, and a USB extender cable, he devised an improvised micro-dongle and connector cable. Getting the Droid to work with a Linux-enabled USB device is as simple as turning the smartphone off, connecting the cable to the host and peripheral and turning the Droid on. Once the Droid is booted, it should now work with the device. A user can even pull up a terminal and look at dmesg to see the usual kernel notifications that appear when new USB devices are connected. To be sure, the Droid is not the most robust of USB hosts. To change peripherals, a user needs to reboot the smartphone. What is more, leaving it plugged in too long causes the port to get stuck supplying power to devices but not actually recognizing them. Source:

41. February 10, – (International) 2010 World Cup cybercrime site set up. A new website is aiming to keep anyone looking for tickets or information about the 2010 World Cup safe from cybercriminals. The site,, has been set up by security firm Symantec to provide data, commentary, safety tips and useful links for football fans following the 2010 World Cup tournament. There have already been a number of security threats relating to the 2010 World Cup spotted and Symantec has already warned that we should expect many more. A senior analyst at Symantec Hosted Services said: “Phishing attacks increased by 66 percent during the Beijing Olympics in 2008. The fact that two undersea communications cables landed on South African shores last July will exacerbate the threat levels; history also shows that malicious activity increases in a country after new bandwidth is made available,” he continued. Source:

42. February 9, Ars Technica – (International) Apple investigating Mac Pro performance and heat issues. Recently, there have been some unusual issues affecting Nehalem-based Mac Pro models, characterized by abnormal performance degradation and CPU power draw when using on-board audio circuitry. Several sources have told Ars Technica that Apple support technicians are now saying the problem is known, and that the issue is being actively investigated by Apple engineers. The problem is most glaringly illustrated by merely playing music using iTunes. Though Activity Monitor will report just 1 to 3 percent CPU load, CPU power draw will increase tenfold and CPU temperatures will hover near the safe limits reported by Intel with little or no fan activity. Users were also able to reliably demonstrate a 20 percent decrease in performance, even with something as simple as plugging in FireWire or USB-based audio interfaces. Users note that the problem can be mitigated by using a PCIe-based audio card instead of on-board audio. So far, the problem has not been repeatable when the same Mac Pro hardware is booted into Windows, suggesting some conflict between Mac OS X and hardware drivers. Source:

43. February 9, Associated Press – (International) Summary Box: New attack shows security chip hole. A former U.S. Army computer-security specialist has found a way to break into a type of chip that protects the most important secrets inside many personal computers. The specialist attacked a chip that carries a “Trusted Platform Module” designation, billed as among the industry’s most secure. The attack also works on other chips based on the same design and used in satellite television equipment, video game consoles, and smart phones. Smart and well-funded attackers could steal confidential documents from computers they have stolen, tap text messages and e-mail from lost or stolen mobile phones, and pirate satellite TV signals. The chip’s manufacturer knew this type of attack was possible, but determined it was so tough to pull off that it had limited chance of affecting many users. Source:

44. February 9, Computerworld – (International) Researchers warn of likely attacks against Windows, PowerPoint. Some of the bugs Microsoft patched on February 9 will be exploited by hackers almost immediately, security researchers predicted. Microsoft’s massive update — a record-tying 13 separate security bulletins that patched 26 vulnerabilities — gives attackers all kinds of ways to compromise machines and hijack PCs. Even Microsoft said so: 12 of the 26 vulnerabilities, or 46 percent of the total, were tagged with a “1” in the company’s exploitability index, meaning that Microsoft figures they will be exploited with reliable attack code in the next 30 days. But some of the flaws will be exploited long before others, said researchers interviewed on February 9. The manager of TippingPoint’s Digital Vaccine group suggests that the vulnerabilities MS10-006 and MS10-012 could be exploited in a few days. MS10-006 and MS10-012 both involve SMB (Server Message Block), the Windows file- and print-sharing protocol, but are not related to each other. Source:

45. February 9, DarkReading – (International) China nudges out U.S. for most bot-infected machines. The U.S. may still rank number 1 in spam production, but China is now home to the most bot-infected machines that spew spam, as well as the source of most SQL injection attacks. China made up 12.1 percent of all spamming bots or zombies as of last year’s fourth quarter, while the U.S. dropped from 13.1 percent in the third quarter to 9.5 percent, according to a new McAfee report. That puts the U.S. in the No. 2 position for bots. Interestingly, there has been a slow, downward trend worldwide in the number of newly infected bot machines spewing spam since June 2009, according to McAfee: that number went from 5 million in June and July to around 3.4 million in November, and then to about 3.9 million in December. Overall, spam volume has dropped during the winter months: after a record-breaking 175 billion spam messages per day in the third quarter, there was a 24 percent drop in the fourth quarter, to about 133 billion spam messages a day, McAfee says. McAfee says that trend will not last, however, because overall, spam volume is up 35 percent over the fourth quarter of 2008. Source:

46. February 9, The Register – (International) Feds say dev’s ‘cookie-stuffer’ app fleeced eBay. A Las Vegas web developer has been charged with fleecing eBay out of tens of thousands of dollars by selling a program that planted fraudulent web cookies on the PCs of people visiting the online auctioneer. Dubbed Saucekit, the program deposited a cookie on end users’ hard drives that contained a unique code identifying affiliate websites even though advertisements from those sites were never viewed, according to documents filed on February 9 in U.S. District Court in San Jose, California. Users who went on to take “revenue actions” on eBay would cause the affiliate to receive a referral fee it was not entitled to. From January 2009 to the following November, Saucekit’s creator actively promoted the cookie-stuffing program on his currently unavailable website and on hacking forums. Using the handle biglevel, he regularly discussed the technical and legal merits of the program. The cookie-stuffing program exploited the eBay Partner Network, which pays referral fees to websites when one of their advertisements leads to a sale on the online auctioneer’s site. The program works using web cookies that identify which site and advertisement were viewed just prior to the user visiting eBay. Saucekit directed user browsers to a website in Nevada, which deposited a cookie that identified a particular affiliate even though the website had not been visited. Source:
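The item above describes the mechanism only in outline: the affiliate network credits whichever affiliate a cookie names, so a program that writes that cookie without any ad being viewed collects the fee. The following is an added example, not code from the report, from eBay, or from the Saucekit case; it is a constructed toy affiliate network (the key, affiliate ids, domains and click log are all invented) that shows the naive attribution check beside a hardened one, which only credits a purchase when the cookie carries a click id the network itself logged, a valid HMAC over that id, a fresh timestamp, and a referring host matching the affiliate's registered domain.

```python
"""Affiliate attribution: trusting the cookie versus a server-side click record.

Constructed example. The naive check credits whatever affiliate id the cookie
names, which is exactly what a cookie-stuffing program exploits. The hardened
check only credits a purchase when the cookie refers to a click the network
logged itself and the cookie is signed, fresh, and tied to the affiliate's own
registered site.
"""
import hashlib
import hmac
import secrets

NETWORK_KEY = b"constructed-demo-key"   # hypothetical network-side signing key
ATTRIBUTION_WINDOW = 7 * 24 * 3600      # seconds a click stays creditable

# affiliate_id -> site the affiliate registered with the network (constructed)
REGISTERED_AFFILIATES = {"aff-100": "deals.example", "aff-200": "gadgets.example"}

# click_id -> {"affiliate_id", "referer", "ts"}: the network's own record of ad clicks
CLICK_LOG = {}


def _sign(click_id):
    """HMAC over the click id so a third-party site cannot mint a valid cookie."""
    return hmac.new(NETWORK_KEY, click_id.encode(), hashlib.sha256).hexdigest()


def record_click(affiliate_id, referer_host, now):
    """Called when the user actually follows an ad link; returns the cookie value."""
    click_id = secrets.token_hex(8)
    CLICK_LOG[click_id] = {"affiliate_id": affiliate_id, "referer": referer_host, "ts": now}
    return f"{click_id}.{_sign(click_id)}"


def credit_naive(cookie):
    """Trusts the cookie outright: 'aff=aff-100' credits aff-100 with no evidence of a click."""
    if cookie.startswith("aff="):
        return cookie[4:]
    return None


def credit_hardened(cookie, now):
    """Credits an affiliate only for a logged, signed, fresh click from its own domain."""
    try:
        click_id, mac = cookie.split(".", 1)
    except ValueError:
        return None                      # not in the signed format at all
    if not hmac.compare_digest(mac, _sign(click_id)):
        return None                      # forged or tampered cookie
    click = CLICK_LOG.get(click_id)
    if click is None:
        return None                      # no click was ever logged for this id
    if now - click["ts"] > ATTRIBUTION_WINDOW:
        return None                      # stale click
    if REGISTERED_AFFILIATES.get(click["affiliate_id"]) != click["referer"]:
        return None                      # click did not come from the affiliate's registered site
    return click["affiliate_id"]


if __name__ == "__main__":
    # Genuine click from the affiliate's own site, purchase shortly after.
    good = record_click("aff-100", "deals.example", now=1000)
    print("genuine click:", credit_hardened(good, now=1500))          # aff-100
    # A cookie simply naming an affiliate: accepted by the naive check, rejected by the hardened one.
    print("naive on planted cookie:", credit_naive("aff=aff-100"))    # aff-100
    print("hardened on planted cookie:", credit_hardened("aff=aff-100", now=1500))  # None
```

The referring host is a browser-supplied signal rather than proof, so in practice it feeds a fraud score alongside click-to-purchase timing and conversion rates per affiliate; the structural gain is that credit is anchored to a record the network wrote itself, not to a value any site the user's browser loads can write into a cookie.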

Communications Sector

47. February 10, Ironton Tribune – (Ohio) Fire knocks out phone service. Services on the Verizon phone lines in the Bradrick area of Chesapeake have been lost due to a structure fire. This will likely be an extended outage and affect a large part of eastern Lawrence County, including parts or entire sections of Bradrick, Chesapeake, Union Township, Proctorville, Rome Township, and Athalia. The Lawrence County EMA office and 911 will be updated by Verizon as repairs progress. Early indications are that this will be an extended outage and that 911 calls will not be able to be made via land line from the affected area. The attached EAS message urges residents who need emergency assistance to use their cellular phones to report any law enforcement, EMS, or fire emergency. 911 centers in adjacent counties in Ohio, West Virginia, and Kentucky may experience additional calls from these affected areas. Procedures are in place in these counties to route calls to the Lawrence County 911 Center. The Lawrence County 911 Center is operating per normal procedures and will be working closely with these other counties to ensure that emergency needs are taken care of as quickly as possible. Source:

48. February 8, WWSB 7 Sarasota – (Florida) 3 caught stealing copper from under Charlotte County bridge. Charlotte County Sheriff’s detectives arrested three people Saturday for cutting and stealing telephone copper wire under the U.S. 41 northbound bridge on the Port Charlotte side. A road deputy was flagged down about suspicious activity in that area and located three adults and two children. Deputies found holes exposing the phone cables which were cut with bolt cutters. A search of the vehicle located a shovel, posthole digger, and a bundle of copper wire. Two bolt cutters were found on the ground where the cables were cut. Detectives then charged all three adults with grand theft. Source: